Microsoft’s long-running Kerberos hardening campaign is entering its final, non-reversible phase: the temporary registry workarounds that allowed administrators to keep weak certificate mappings and “Compatibility” behavior will be removed with the September 2025 servicing wave, forcing everyone to adopt strong certificate binding or implement explicit strong mappings ahead of the deadline.
Background
Microsoft began this multi-year Kerberos hardening program after researchers and incident responders showed that certain certificate-to-account mappings could be spoofed or abused to escalate privileges in Active Directory environments. The initial fixes shipped with the May 10, 2022 updates and introduced new KDC behavior that prefers strong mappings and a new certificate SID extension; to soften operational impact Microsoft provided Compatibility and audit phases and two temporary registry workarounds while customers migrated their PKI and certificate issuance processes. Those temporary controls — the KDC registry flag StrongCertificateBindingEnforcement and the CertificateBackdatingCompensation setting — were always described as short-term mitigation levers. Microsoft’s support guidance now makes clear the final enforcement window closes in September 2025: after the Windows updates released on or after September 10, 2025, those registry keys will no longer be supported and the KDC will not accept weak certificate mappings.
What Microsoft is changing (exact mechanics)
StrongCertificateBindingEnforcement: what it does and what’s changing
- Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
- Value name: StrongCertificateBindingEnforcement (REG_DWORD)
- Common values (behavior summary):
  - 0 — disable strong mapping checks (not recommended)
  - 1 — Compatibility mode: allow weak mappings and use fallback logic (initial rollout default)
  - 2 — Enforcement: require strong mapping (deny if not strongly mapped)
CertificateBackdatingCompensation: what it allowed
Some environments used old certificates that predated account creation (for example, certificates re-used across migrations or user re-creation). The CertificateBackdatingCompensation registry value allowed domain controllers to accept such certificates within a configurable time window (expressed in seconds). Microsoft documented the allowed values (e.g., approximate seconds for 50, 25, 10, 5, 3 and 1 years) and warned that this is strictly a temporary workaround; weak mappings and backdating compensation are not compatible with the full enforcement that will be mandatory after the September 2025 update.
Audit and enforcement timeline (important dates)
- May 10, 2022 — initial update introduced Compatibility mode and the audit events for non‑strong mappings.
- February 11, 2025 — Windows security updates moved many devices to Full Enforcement by default unless the compatibility registry was explicitly used earlier. Administrators still had a temporary escape hatch to revert to Compatibility mode.
- September 10, 2025 — final date after which the Compatibility registry keys (StrongCertificateBindingEnforcement and CertificateBackdatingCompensation) are unsupported; weak certificate mappings will no longer be allowed.
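The registry settings and the timeline above translate into one practical question for each domain controller: which mode is it in today, is a backdating window configured, and has the KDC already logged weak-mapping audit events that will turn into logon failures once the keys stop being honored? The script below is an added example written for this article; it is not Microsoft's code. It uses the registry path and value names listed above and the KDC audit events 39, 40 and 41 that KB5014754 documents in the System log; the provider-name match and the 30-day lookback are assumptions you can adjust. Run it in an elevated session on each DC (or wrap it in Invoke-Command).

```powershell
# Added example, not from the article or from Microsoft: audit one domain controller's
# KDC certificate-binding posture ahead of the September 2025 cutoff.
# Registry path and value names are the ones the article lists; event IDs 39/40/41
# are the KDC audit events from KB5014754.

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcRegistryValue {
    param([string]$Name)
    # Returns $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $KdcKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-KdcBindingMode {
    # Decodes StrongCertificateBindingEnforcement into the modes described above.
    $v = Get-KdcRegistryValue -Name 'StrongCertificateBindingEnforcement'
    if ($null -eq $v) { return 'Not set: OS default applies (Full Enforcement on DCs patched since February 2025)' }
    switch ($v) {
        0       { '0 = Disabled: weak mappings accepted; unsupported after the September 2025 updates' }
        1       { '1 = Compatibility: weak mappings allowed and audited; unsupported after the September 2025 updates' }
        2       { '2 = Full Enforcement: strong mapping required' }
        default { "Unexpected value: $v" }
    }
}

function Get-KdcBackdatingCompensation {
    # The value is a number of seconds; convert to years so the window is readable.
    $v = Get-KdcRegistryValue -Name 'CertificateBackdatingCompensation'
    if ($null -eq $v) { return 'Not set' }
    $years = [math]::Round($v / (365.25 * 24 * 3600), 1)
    return "$v seconds (about $years years); temporary workaround, unsupported after the September 2025 updates"
}

function Get-WeakMappingEvents {
    param([int]$Days = 30)
    # KDC audit events in the System log (KB5014754):
    #   39 = certificate valid but not strongly mapped to the account
    #   40 = certificate predates the account (what backdating compensation papers over)
    #   41 = SID extension in the certificate does not match the account
    # Assumption: the KDC provider name matches one of the two patterns below.
    $filter = @{ LogName = 'System'; Id = 39, 40, 41; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Kdcsvc|Kerberos-Key-Distribution-Center' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Report for this DC
"DC: $env:COMPUTERNAME"
"StrongCertificateBindingEnforcement : $(Get-KdcBindingMode)"
"CertificateBackdatingCompensation   : $(Get-KdcBackdatingCompensation)"

$events = Get-WeakMappingEvents -Days 30
"Weak-mapping audit events in the last 30 days: $(@($events).Count)"
$events | Group-Object Id | ForEach-Object { "  Event ID $($_.Name): $($_.Count)" }
# Each event message names the user and certificate involved; every account listed here
# will fail PKINIT once the registry keys stop being honored unless it receives an
# explicit strong mapping first.
$events | Select-Object -First 5 | Format-List TimeCreated, Id, Message
```

Run this on every DC, not just one: the registry values are per-DC, and Event 39/40/41 only appears on the DC that handled the PKINIT request, so a single quiet DC proves nothing about the estate. A DC that reports mode 1 plus a non-empty event list is the combination that needs remediation before the September updates install.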
Why this matters: security benefits and operational friction
Security upside (why Microsoft is doing this)
- Closing real attack paths. The 2022 mitigations addressed CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923, vulnerabilities that allowed crafted certificates and mapping ambiguities to be abused for privilege escalation. Enforcing strong mappings and validating the new SID extension significantly reduces certificate spoofing risk in Kerberos PKINIT flows.
- Rationalizing certificate-based auth. Moving to a small set of strong mapping methods reduces complexity and ambiguity in how certificates are mapped to AD accounts; that helps upstream detection and reduces attack surface across large, heterogeneous estates.
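The remediation the article keeps pointing at is an explicit strong mapping on the account. The script below is an added example, not Microsoft's code or the article's own: it derives the strong altSecurityIdentities strings documented in KB5014754 (issuer plus reversed serial, and Subject Key Identifier) from a user's certificate and, only when asked, writes one of them to the AD user. The certificate path, the sAMAccountName and the helper names are placeholders; the DN splitter is a deliberate simplification that does not handle RDN values containing escaped commas.

```powershell
# Added example, not from the article or from Microsoft: build strong altSecurityIdentities
# mapping strings from a user certificate and (optionally) attach one to the AD account.
# Requires the ActiveDirectory module and rights to modify the user object.
# Formats follow KB5014754: X509:<I>reversedIssuer<SR>reversedSerial and X509:<SKI>hex.

function ConvertTo-ReversedDn {
    param([string]$Dn)
    # altSecurityIdentities stores the issuer DN with its RDNs in reverse order:
    # "CN=CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CA".
    # Simplification: splits on commas, so escaped commas inside an RDN value break it.
    $rdns = @($Dn -split ',\s*')
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function ConvertTo-ReversedSerial {
    param([string]$SerialHex)
    # The <SR> field is the serial number with its byte order reversed relative to the
    # hex string the certificate UI shows: "1200000000AC11000000002B" -> "2B00000011AC000000000012".
    $bytes = @(for ($i = 0; $i -lt $SerialHex.Length; $i += 2) { $SerialHex.Substring($i, 2) })
    [array]::Reverse($bytes)
    return ($bytes -join '')
}

function Get-StrongMappingStrings {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $result = [ordered]@{}
    $result['IssuerSerial'] = 'X509:<I>{0}<SR>{1}' -f (ConvertTo-ReversedDn $Cert.Issuer), (ConvertTo-ReversedSerial $Cert.SerialNumber)

    # Subject Key Identifier mapping, only if the certificate carries the SKI extension (OID 2.5.29.14).
    $ski = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($ski) { $result['SKI'] = 'X509:<SKI>' + $ski.SubjectKeyIdentifier }
    return $result
}

function Set-StrongCertificateMapping {
    param(
        [string]$SamAccountName,
        [string]$Mapping,
        [switch]$Apply
    )
    # Prints the intended change; writes it only when -Apply is given, so the value
    # can be reviewed (and compared against the Event 39 message) before it lands in AD.
    "Will add to $SamAccountName : $Mapping"
    if ($Apply) {
        Import-Module ActiveDirectory
        Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $Mapping }
    }
}

# Usage with placeholder values: load the user's certificate, show both strong mappings,
# then map by issuer+serial (add -Apply to commit the change).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\user-placeholder.cer'
$maps = Get-StrongMappingStrings -Cert $cert
$maps
Set-StrongCertificateMapping -SamAccountName 'user-placeholder' -Mapping $maps['IssuerSerial']
```

Issuer plus serial is the mapping most teams pick because every certificate has both fields, but it is tied to one certificate: a reissue with a new serial needs the attribute updated, so build this into the issuance workflow rather than running it once. The SKI form survives renewals that keep the same key pair. Certificates issued after the May 2022 CA updates carry the SID extension and are strongly mapped without any altSecurityIdentities entry; the explicit mapping is for older certificates and for issuers outside AD CS that cannot embed the extension.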